The present invention generally relates to detecting the use of software, and more specifically, to the dynamic detection of an intrusive anomalous use of computer software.
The literature and media abound with reports of successful violations of computer system security by both external attackers and internal users. These breaches occur through physical attacks, social engineering attacks, and attacks on the system software. In a system software attack, the intruder subverts or bypasses the security mechanisms of the system in order to gain unauthorized access to the system or to increase current access privileges. These attacks are successful when the attacker is able to cause the system software to execute in a manner that is typically inconsistent with the software specification and thus leads to a breach in security.
Intrusion detection systems monitor some traces of user activity to determine if an intrusion has occurred. The traces of activity can be collated from audit trails or logs, network monitoring or a combination of both. Once the data regarding a relevant aspect of the behavior of the system are collected, the classification stage starts. Intrusion detection classification techniques can be broadly catalogued in the two main groups: misuse intrusion detection, and anomaly intrusion detection. The first type of classification technique searches for occurrences of known attacks with a particular xe2x80x9csignature,xe2x80x9d and the second type searches for a departure from normality. Some of the newest intrusion detection tools incorporate both approaches.
One prior art system for detecting an intrusion is the EMERALD(trademark) program. EMERALD defines the architecture of independent monitors that are distributed about a network to detect intrusions. Each monitor performs a signature or profile analysis of a xe2x80x9ctarget event streamxe2x80x9d to detect intrusions and communicates such detection to other monitors on the system. The analysis is performed on event logs, but the structure of the logs is not prescribed and the timeliness of the analysis and detection of an intrusion depends on the analyzed system and how it chooses to provide such log data. By monitoring these logs, EMERALD can thus determine that at some point in the event stream that was recorded in the log, an intrusion occurred. However, the detection is generally not implemented in real time, but instead occurs at some interval of time after the intrusion. Also, this prior art system does not allow monitoring of all types of software activity, since it is limited to operating system kernel events. Accordingly, it would be desirable to provide a real time intrusion detection paradigm that is applicable to monitoring almost any type of program.
It would be preferable to detect an intrusion based on the measurement of program activity as control is passed among program modules. As a system executes its customary activities, the intrusion detection scheme should estimate a nominal system behavior. Departures from the nominal system profile will likely represent potential invidious activity on the system. Since unwanted activity may be detected by comparison of the current system activity to that occurring during previous assaults on the system, it would be desirable to store profiles for recognizing these activities from historical data. Historical data, however, cannot be used to recognize new kinds of assaults. An effective security tool would be one designed to recognize assaults as they occur through the understanding and comparison of the current behavior against nominal system activity. Currently, none of the prior art techniques fully achieve these objectives.
The present invention represents a new software engineering approach to intrusion detection using dynamic software measurement to assist in the detection of intruders. Dynamic software measurement provides a framework to analyze the internal behavior of a system as it executes and makes transitions among its various modules governed by the structure of a program call graph. A target system is instrumented so that measurements can be obtained to profile the module activity on the system in real time. Essentially, this approach measures from the inside of a software system to make inferences as to what is occurring outside of the program environment. In contrast, the more traditional approach of the prior art measures or profiles system activity from system log files and other such patterns of externally observable behavior.
Program modules are distinctly associated with certain functionalities that a program is capable of performing. As each functionality is executed, it creates its own distinct signature of transition events. Since the nominal behavior of a system is more completely understood while it is executing its customary activities, this nominal system behavior can be profiled quite accurately. Departures from a nominal system profile represent potential invidious activity on the system. New profiles of intrusive behavior can be stored and used to construct an historical database of intrusion profiles. However, these historical data cannot be used as a basis for the recognition of new types of assaults. The present invention is designed to recognize assaults as they occur through the understanding and comparison of the current behavior against nominal system activity.